package org.springframework.vault.authentication;

import java.util.HashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.AppRoleTokens;
import org.springframework.vault.authentication.AuthenticationSteps;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/springframework/vault/authentication/AppRoleAuthentication.class */
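/**
 * AppRole login against Vault, available both as an imperative {@link ClientAuthentication}
 * (via the injected {@link RestOperations}) and as a declarative {@link AuthenticationSteps} flow.
 *
 * <p>The role id and secret id can each be obtained in one of three ways, selected by the
 * concrete type of the configured {@code RoleId} / {@code SecretId}:
 * <ul>
 * <li>{@code AppRoleTokens.Provided}: the value is taken from configuration as-is.</li>
 * <li>{@code AppRoleTokens.Pull}: the value is requested from {@code auth/{mount}/role/{role}/role-id}
 * (GET) or {@code auth/{mount}/role/{role}/secret-id} (POST) using the configured initial token.</li>
 * <li>{@code AppRoleTokens.Wrapped}: the value is read from {@code cubbyhole/response} using the
 * configured initial (wrapping) token and then unwrapped.</li>
 * </ul>
 * A secret id of type {@code AppRoleTokens.AbsentSecretId} results in a login body that carries
 * only {@code role_id}.
 *
 * <p>Security notes for operators:
 * <ul>
 * <li>The initial token is sent in the {@code X-Vault-Token} header of the pull/unwrap requests.
 * NOTE(review): it presumably needs access only to the endpoints listed above; confirm the token
 * policy is scoped that narrowly.</li>
 * <li>In pull mode every login issues a POST to the {@code secret-id} endpoint. NOTE(review): Vault
 * normally mints a new secret id per such request; confirm the role's secret-id TTL and use limits
 * so these do not accumulate.</li>
 * <li>NOTE(review): wrapping tokens are normally single-use, so a second login with the same
 * {@code Wrapped} token is expected to fail; {@code cubbyhole/response} is also the legacy unwrap
 * location. Confirm both against the Vault versions in use.</li>
 * <li>Neither the role id, the secret id, nor the resulting token is written to the log here.</li>
 * </ul>
 */
public class AppRoleAuthentication implements ClientAuthentication, AuthenticationStepsFactory {
    private static final Log logger = LogFactory.getLog(AppRoleAuthentication.class);
    private final AppRoleAuthenticationOptions options;
    private final RestOperations restOperations;

    /**
     * Creates the authentication object.
     *
     * @param appRoleAuthenticationOptions AppRole configuration, must not be {@code null}.
     * @param restOperations client used for the imperative {@link #login()} path, must not be {@code null}.
     * @throws IllegalArgumentException if either argument is {@code null}.
     */
    public AppRoleAuthentication(AppRoleAuthenticationOptions appRoleAuthenticationOptions, RestOperations restOperations) {
        Assert.notNull(appRoleAuthenticationOptions, "AppRoleAuthenticationOptions must not be null");
        Assert.notNull(restOperations, "RestOperations must not be null");
        this.options = appRoleAuthenticationOptions;
        this.restOperations = restOperations;
    }

    /**
     * Builds the declarative login flow: resolve role id (and secret id, if one is configured),
     * then POST the resulting body to {@code auth/{mount}/login}.
     *
     * @param appRoleAuthenticationOptions AppRole configuration, must not be {@code null}.
     * @return the steps describing the AppRole login.
     * @throws IllegalArgumentException if the options are {@code null} or carry an unsupported
     * {@code RoleId} / {@code SecretId} type.
     */
    public static AuthenticationSteps createAuthenticationSteps(AppRoleAuthenticationOptions appRoleAuthenticationOptions) {
        Assert.notNull(appRoleAuthenticationOptions, "AppRoleAuthenticationOptions must not be null");
        return getAuthenticationSteps(appRoleAuthenticationOptions, appRoleAuthenticationOptions.getRoleId(), appRoleAuthenticationOptions.getSecretId())
                .login("auth/{mount}/login", appRoleAuthenticationOptions.getPath());
    }

    /**
     * Produces the node that yields the login request body.
     *
     * <p>When no secret id is configured the secret-id steps are skipped entirely, so the
     * declarative flow behaves like the imperative {@link #login()} path instead of failing
     * with "Unknown SecretId configuration".
     */
    private static AuthenticationSteps.Node<Map<String, String>> getAuthenticationSteps(AppRoleAuthenticationOptions appRoleAuthenticationOptions, AppRoleAuthenticationOptions.RoleId roleId, AppRoleAuthenticationOptions.SecretId secretId) {
        AuthenticationSteps.Node<String> roleIdSteps = getRoleIdSteps(appRoleAuthenticationOptions, roleId);
        if (!hasSecretId(secretId)) {
            // Role-only login: the static body builder omits secret_id for a null value.
            return roleIdSteps.map(resolvedRoleId -> getAppRoleLoginBody(resolvedRoleId, (String) null));
        }
        return roleIdSteps.zipWith(getSecretIdSteps(appRoleAuthenticationOptions, secretId))
                .map(pair -> getAppRoleLoginBody(pair.getLeft(), pair.getRight()));
    }

    /**
     * Tells whether a secret id must be resolved and sent.
     *
     * <p>Single source of truth for both login paths. {@code ClassUtils.isAssignableValue}
     * returns {@code true} for a {@code null} value and a non-primitive type, so a {@code null}
     * secret id is treated the same as {@code AbsentSecretId}.
     */
    private static boolean hasSecretId(@Nullable AppRoleAuthenticationOptions.SecretId secretId) {
        return !ClassUtils.isAssignableValue(AppRoleTokens.AbsentSecretId.class, secretId);
    }

    /**
     * Declarative counterpart of {@link #getRoleId}: returns the node that resolves the role id.
     *
     * @throws IllegalArgumentException for a {@code RoleId} type other than Provided, Pull or Wrapped.
     */
    private static AuthenticationSteps.Node<String> getRoleIdSteps(AppRoleAuthenticationOptions appRoleAuthenticationOptions, AppRoleAuthenticationOptions.RoleId roleId) {
        if (roleId instanceof AppRoleTokens.Provided) {
            AppRoleTokens.Provided provided = (AppRoleTokens.Provided) roleId;
            return AuthenticationSteps.fromSupplier(provided::getValue);
        }
        if (roleId instanceof AppRoleTokens.Pull) {
            HttpHeaders headers = createHttpHeaders(((AppRoleTokens.Pull) roleId).getInitialToken());
            return AuthenticationSteps.fromHttpRequest(
                    AuthenticationSteps.HttpRequestBuilder.get("auth/{mount}/role/{role}/role-id", appRoleAuthenticationOptions.getPath(), appRoleAuthenticationOptions.getAppRole())
                            .with(headers)
                            .as(VaultResponse.class))
                    .map(vaultResponse -> (String) vaultResponse.getRequiredData().get("role_id"));
        }
        if (roleId instanceof AppRoleTokens.Wrapped) {
            return unwrapResponse(((AppRoleTokens.Wrapped) roleId).getInitialToken())
                    .map(vaultResponse -> (String) vaultResponse.getRequiredData().get("role_id"));
        }
        // NOTE(review): the message relies on roleId.toString(); confirm implementations do not print credentials.
        throw new IllegalArgumentException("Unknown RoleId configuration: " + roleId);
    }

    /**
     * Declarative counterpart of {@link #getSecretId}: returns the node that resolves the secret id.
     * Callers are expected to skip this method when no secret id is configured.
     *
     * @throws IllegalArgumentException for a {@code SecretId} type other than Provided, Pull or Wrapped.
     */
    private static AuthenticationSteps.Node<String> getSecretIdSteps(AppRoleAuthenticationOptions appRoleAuthenticationOptions, AppRoleAuthenticationOptions.SecretId secretId) {
        if (secretId instanceof AppRoleTokens.Provided) {
            AppRoleTokens.Provided provided = (AppRoleTokens.Provided) secretId;
            return AuthenticationSteps.fromSupplier(provided::getValue);
        }
        if (secretId instanceof AppRoleTokens.Pull) {
            HttpHeaders headers = createHttpHeaders(((AppRoleTokens.Pull) secretId).getInitialToken());
            // POST, not GET: this is a request to the secret-id endpoint on every login.
            return AuthenticationSteps.fromHttpRequest(
                    AuthenticationSteps.HttpRequestBuilder.post("auth/{mount}/role/{role}/secret-id", appRoleAuthenticationOptions.getPath(), appRoleAuthenticationOptions.getAppRole())
                            .with(headers)
                            .as(VaultResponse.class))
                    .map(vaultResponse -> (String) vaultResponse.getRequiredData().get("secret_id"));
        }
        if (secretId instanceof AppRoleTokens.Wrapped) {
            return unwrapResponse(((AppRoleTokens.Wrapped) secretId).getInitialToken())
                    .map(vaultResponse -> (String) vaultResponse.getRequiredData().get("secret_id"));
        }
        // NOTE(review): the message relies on secretId.toString(); confirm implementations do not print credentials.
        throw new IllegalArgumentException("Unknown SecretId configuration: " + secretId);
    }

    /**
     * Node that reads {@code cubbyhole/response} with the given token and unwraps the
     * {@code response} field into a {@link VaultResponse}.
     */
    private static AuthenticationSteps.Node<VaultResponse> unwrapResponse(VaultToken vaultToken) {
        return AuthenticationSteps.fromHttpRequest(
                AuthenticationSteps.HttpRequestBuilder.get("cubbyhole/response")
                        .with(createHttpHeaders(vaultToken))
                        .as(VaultResponse.class))
                .map(vaultResponse -> VaultResponses.unwrap((String) vaultResponse.getRequiredData().get("response"), VaultResponse.class));
    }

    /**
     * Performs the AppRole login with the injected {@link RestOperations}.
     *
     * @return the login token built from the response's auth section.
     * @throws VaultLoginException if resolving the ids or the login request fails.
     */
    @Override // org.springframework.vault.authentication.ClientAuthentication
    public VaultToken login() {
        return createTokenUsingAppRole();
    }

    /**
     * @return the declarative login flow for the options this instance was created with.
     */
    @Override // org.springframework.vault.authentication.AuthenticationStepsFactory
    public AuthenticationSteps getAuthenticationSteps() {
        return createAuthenticationSteps(this.options);
    }

    /**
     * Resolves the ids, posts them to {@code auth/{mount}/login} and converts the auth section
     * of the response into a token.
     *
     * @throws IllegalStateException if the response or its auth section is missing.
     * @throws VaultLoginException if the login request fails with a {@link RestClientException}.
     */
    private VaultToken createTokenUsingAppRole() {
        try {
            Map<String, String> loginBody = getAppRoleLoginBody(this.options.getRoleId(), this.options.getSecretId());
            VaultResponse vaultResponse = this.restOperations.postForObject("auth/{mount}/login", loginBody, VaultResponse.class, this.options.getPath());
            Assert.state(vaultResponse != null && vaultResponse.getAuth() != null, "Auth field must not be null");
            // Deliberately logs the outcome only, never the token or the ids.
            logger.debug("Login successful using AppRole authentication");
            return LoginTokenUtil.from(vaultResponse.getAuth());
        } catch (RestClientException e) {
            throw VaultLoginException.create("AppRole", e);
        }
    }

    /**
     * Resolves the role id for the imperative login path.
     *
     * @throws VaultLoginException if Vault answers the pull or unwrap request with an error status.
     * @throws IllegalStateException if Vault returns no response body.
     * @throws IllegalArgumentException for a {@code RoleId} type other than Provided, Pull or Wrapped.
     */
    private String getRoleId(AppRoleAuthenticationOptions.RoleId roleId) throws VaultLoginException {
        if (roleId instanceof AppRoleTokens.Provided) {
            return ((AppRoleTokens.Provided) roleId).getValue();
        }
        if (roleId instanceof AppRoleTokens.Pull) {
            VaultToken initialToken = ((AppRoleTokens.Pull) roleId).getInitialToken();
            try {
                VaultResponse response = this.restOperations.exchange("auth/{mount}/role/{role}/role-id", HttpMethod.GET, createHttpEntity(initialToken), VaultResponse.class, this.options.getPath(), this.options.getAppRole()).getBody();
                return (String) requireResponse(response).getRequiredData().get("role_id");
            } catch (HttpStatusCodeException e) {
                throw new VaultLoginException(String.format("Cannot get Role id using AppRole: %s", VaultResponses.getError(e.getResponseBodyAsString())), e);
            }
        }
        if (roleId instanceof AppRoleTokens.Wrapped) {
            try {
                return (String) readWrappedResponse(((AppRoleTokens.Wrapped) roleId).getInitialToken()).getRequiredData().get("role_id");
            } catch (HttpStatusCodeException e) {
                throw new VaultLoginException(String.format("Cannot unwrap Role id using AppRole: %s", VaultResponses.getError(e.getResponseBodyAsString())), e);
            }
        }
        throw new IllegalArgumentException("Unknown RoleId configuration: " + roleId);
    }

    /**
     * Resolves the secret id for the imperative login path.
     *
     * @throws VaultLoginException if Vault answers the pull or unwrap request with an error status.
     * @throws IllegalStateException if Vault returns no response body.
     * @throws IllegalArgumentException for a {@code SecretId} type other than Provided, Pull or Wrapped.
     */
    private String getSecretId(AppRoleAuthenticationOptions.SecretId secretId) throws VaultLoginException {
        if (secretId instanceof AppRoleTokens.Provided) {
            return ((AppRoleTokens.Provided) secretId).getValue();
        }
        if (secretId instanceof AppRoleTokens.Pull) {
            VaultToken initialToken = ((AppRoleTokens.Pull) secretId).getInitialToken();
            try {
                VaultResponse response = this.restOperations.postForObject("auth/{mount}/role/{role}/secret-id", createHttpEntity(initialToken), VaultResponse.class, this.options.getPath(), this.options.getAppRole());
                return (String) requireResponse(response).getRequiredData().get("secret_id");
            } catch (HttpStatusCodeException e) {
                throw new VaultLoginException(String.format("Cannot get Secret id using AppRole: %s", VaultResponses.getError(e.getResponseBodyAsString())), e);
            }
        }
        if (secretId instanceof AppRoleTokens.Wrapped) {
            try {
                return (String) readWrappedResponse(((AppRoleTokens.Wrapped) secretId).getInitialToken()).getRequiredData().get("secret_id");
            } catch (HttpStatusCodeException e) {
                // Names the secret id (previously said "Role id") so an unwrap failure points at the right credential.
                throw new VaultLoginException(String.format("Cannot unwrap Secret id using AppRole: %s", VaultResponses.getError(e.getResponseBodyAsString())), e);
            }
        }
        throw new IllegalArgumentException("Unknown SecretId configuration: " + secretId);
    }

    /**
     * Reads {@code cubbyhole/response} with the given wrapping token and unwraps its
     * {@code response} field. Shared by the role-id and secret-id resolution.
     */
    private VaultResponse readWrappedResponse(VaultToken initialToken) {
        VaultResponse wrapper = this.restOperations.exchange("cubbyhole/response", HttpMethod.GET, createHttpEntity(initialToken), VaultResponse.class).getBody();
        String wrappedPayload = (String) requireResponse(wrapper).getRequiredData().get("response");
        return VaultResponses.unwrap(wrappedPayload, VaultResponse.class);
    }

    /**
     * Fails with a descriptive {@link IllegalStateException} instead of a bare
     * {@link NullPointerException} when Vault returned no body.
     */
    private static VaultResponse requireResponse(@Nullable VaultResponse response) {
        Assert.state(response != null, "Vault response must not be null");
        return response;
    }

    /** Builds headers that carry the given token in the Vault token header. */
    private static HttpHeaders createHttpHeaders(VaultToken vaultToken) {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.set(VaultHttpHeaders.VAULT_TOKEN, vaultToken.getToken());
        return httpHeaders;
    }

    /** Builds a body-less request entity authenticated with the given token. */
    private static HttpEntity<Object> createHttpEntity(VaultToken vaultToken) {
        return new HttpEntity<Object>(null, createHttpHeaders(vaultToken));
    }

    /**
     * Resolves both ids through {@link #restOperations} and assembles the login body;
     * {@code secret_id} is left out when no secret id is configured.
     */
    private Map<String, String> getAppRoleLoginBody(AppRoleAuthenticationOptions.RoleId roleId, AppRoleAuthenticationOptions.SecretId secretId) {
        Map<String, String> loginBody = new HashMap<>();
        loginBody.put("role_id", getRoleId(roleId));
        if (hasSecretId(secretId)) {
            loginBody.put("secret_id", getSecretId(secretId));
        }
        return loginBody;
    }

    /**
     * Assembles the login body from already-resolved values.
     *
     * @param str the role id.
     * @param str2 the secret id, or {@code null} to omit {@code secret_id} from the body.
     * @return a mutable map with {@code role_id} and, if given, {@code secret_id}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Map<String, String> getAppRoleLoginBody(String str, @Nullable String str2) {
        Map<String, String> loginBody = new HashMap<>();
        loginBody.put("role_id", str);
        if (str2 != null) {
            loginBody.put("secret_id", str2);
        }
        return loginBody;
    }
}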
